Btiteam / XBTIT Forum

BTITeam => [BTITeam] Comunications => Topic started by: Lupin on April 08, 2010, 10:46:38 PM

Title: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 08, 2010, 10:46:38 PM
A possible exploit (SQL injection) was discovered in the code; please update your trackers ASAP. Hackers could retrieve password hashes and then access your site as you!

Affected versions:
- ALL versions < revision 584

Vulnerable files:
- users.php
- torrents.php

Manual patch:

open users.php
find and replace
Code: [Select]
// getting order
          if (isset($_GET["order"]))
               $order=htmlspecialchars($_GET["order"]);
          else
              $order="joined";


          if (isset($_GET["by"]))
              $by=htmlspecialchars($_GET["by"]);
          else
              $by="ASC";
with
Code: [Select]
          $order_param=3;
          // getting order
          if (isset($_GET["order"]))
             {
             $order_param=(int)$_GET["order"];
             switch ($order_param)
               {
               case 1:
                    $order="username";
                    break;

               case 2:
                    $order="level";
                    break;

               case 3:
                    $order="joined";
                    break;

               case 4:
                    $order="lastconnect";
                    break;

               case 5:
                    $order="flag";
                    break;
                         
               case 6:
                    $order="ratio";
                    break;

               default:
                   $order="joined";

             }
          }
          else
              $order="joined";


          if (isset($_GET["by"]))
           {
              $by_param=(int)$_GET["by"];
              $by=($by_param==1?"ASC":"DESC");
          }
          else
              $by="ASC";
find and replace
Code: [Select]
         list($pagertop, $pagerbottom, $limit) = pager(20, $count,  $scriptname."&amp;" . $addparams.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;");
with
Code: [Select]
         // The pager links carry the numeric sort codes, never the column name or
         // ASC/DESC text. $order_param and $by_param must both be set on every path
         // (also when the request has no order/by), otherwise the link is emitted
         // with an empty value.
         list($pagertop, $pagerbottom, $limit) = pager(20, $count,  $scriptname."&amp;" . $addparams.(strlen($addparam)>0?"&amp;":"")."order=$order_param&amp;by=$by_param&amp;");
find and replace
Code: [Select]
$userstpl->set("users_sort_username", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=username&amp;by=".($order=="username" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=level&amp;by=".($order=="level" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=joined&amp;by=".($order=="joined" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=lastconnect&amp;by=".($order=="lastconnect" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=flag&amp;by=".($order=="flag" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=ratio&amp;by=".($order=="ratio" && $by=="ASC"?"DESC":"ASC")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));
with
Code: [Select]
// Column-header sort links for the user list. Each link sends a numeric code
// instead of a column name: order=1..6 selects the column and by=1/2 selects
// ASC/DESC, matching the switch that reads $_GET["order"] and $_GET["by"].
// A header that is already the active ASC sort links to by=2 (DESC); in every
// other case it links to by=1 (ASC). $mark is appended to the active column.
$userstpl->set("users_sort_username", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=1&amp;by=".($order=="username" && $by=="ASC"?"2":"1")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=2&amp;by=".($order=="level" && $by=="ASC"?"2":"1")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=3&amp;by=".($order=="joined" && $by=="ASC"?"2":"1")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=4&amp;by=".($order=="lastconnect" && $by=="ASC"?"2":"1")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=5&amp;by=".($order=="flag" && $by=="ASC"?"2":"1")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=6&amp;by=".($order=="ratio" && $by=="ASC"?"2":"1")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));
save and close.


open torrents.php
find and replace
Code: [Select]
    // getting order
    if (isset($_GET["order"]))
         $order=htmlspecialchars(mysql_real_escape_string($_GET["order"]));
    else
        $order="data";

    $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);

    if (isset($_GET["by"]))
        $by=htmlspecialchars(mysql_real_escape_string($_GET["by"]));
    else
        $by="DESC";


    list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count,  $scriptname."&amp;" . $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;");
with
Code: [Select]
    // getting order
    // The sort column is chosen by a numeric code (1..9) mapped to a fixed list
    // of names, so no text from the request is used as a column name. Escaping
    // helpers such as mysql_real_escape_string() (used by the old code) protect
    // quoted string values; they do not make a value safe as an unquoted
    // identifier or keyword -- presumably where $qry_order and $by end up
    // (the query itself is not shown in this snippet).
    $order_param=3;
    if (isset($_GET["order"]))
       {
         // The cast drops anything non-numeric; unknown codes fall to "data".
         $order_param=(int)$_GET["order"];
         switch ($order_param)
           {
           case 1:
                $order="cname";
                break;
           case 2:
                $order="filename";
                break;
           case 3:
                $order="data";
                break;
           case 4:
                $order="size";
                break;
           case 5:
                $order="seeds";
                break;
           case 6:
                $order="leechers";
                break;
           case 7:
                $order="finished";
                break;
           case 8:
                $order="dwned";
                break;
           case 9:
                $order="speed";
                break;
           default:
               $order="data";
               
         }

    }
    else
        $order="data";

    // Swap the public names leechers/seeds/finished for the values held in
    // $tleechs/$tseeds/$tcompletes, which are defined outside this snippet.
    $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);

    // Direction code: 1 selects ASC, every other value (including input that
    // casts to 0) selects DESC. The default of 2 keeps $by_param defined for the
    // pager link when the request has no "by".
    $by_param=2;
    if (isset($_GET["by"]))
      {
        $by_param=(int)$_GET["by"];
        $by=($by_param==1?"ASC":"DESC");
    }
    else
        $by="DESC";


    // Pager links carry the numeric codes, not the column name or ASC/DESC text.
    list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count,  $scriptname."&amp;" . $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order_param&amp;by=$by_param&amp;");
find and replace
Code: [Select]
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=cname&amp;by=".($order=="cname" && $by=="ASC"?"DESC":"ASC")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=filename&amp;by=".($order=="filename" && $by=="ASC"?"DESC":"ASC")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=data&amp;by=".($order=="data" && $by=="ASC"?"DESC":"ASC")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
$torrenttpl->set("torrent_header_size","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=size&amp;by=".($order=="size" && $by=="DESC"?"ASC":"DESC")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=seeds&amp;by=".($order=="seeds" && $by=="DESC"?"ASC":"DESC")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=leechers&amp;by=".($order=="leechers" && $by=="DESC"?"ASC":"DESC")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=finished&amp;by=".($order=="finished" && $by=="ASC"?"DESC":"ASC")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=dwned&amp;by=".($order=="dwned" && $by=="ASC"?"DESC":"ASC")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=speed&amp;by=".($order=="speed" && $by=="ASC"?"DESC":"ASC")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);
with
Code: [Select]
// Column-header sort links for the torrent list. Each link sends a numeric code
// instead of a column name: order=1..9 selects the column and by=1/2 selects
// ASC/DESC, matching the switch that reads $_GET["order"] and $_GET["by"].
// Most headers link to ASC first and flip to DESC when already sorted ASC;
// size, seeds and leechers link to DESC first and flip to ASC when already
// sorted DESC. $mark is appended to the active column.
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=1&amp;by=".($order=="cname" && $by=="ASC"?"2":"1")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=2&amp;by=".($order=="filename" && $by=="ASC"?"2":"1")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=3&amp;by=".($order=="data" && $by=="ASC"?"2":"1")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
$torrenttpl->set("torrent_header_size","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=4&amp;by=".($order=="size" && $by=="DESC"?"1":"2")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=5&amp;by=".($order=="seeds" && $by=="DESC"?"1":"2")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=6&amp;by=".($order=="leechers" && $by=="DESC"?"1":"2")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=7&amp;by=".($order=="finished" && $by=="ASC"?"2":"1")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=8&amp;by=".($order=="dwned" && $by=="ASC"?"2":"1")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=9&amp;by=".($order=="speed" && $by=="ASC"?"2":"1")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);
save and close.

your tracker should be patched

Alternatively you can download attached files and replace yours (maybe backup b4) with the new.

Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: djblackout on April 08, 2010, 11:23:01 PM
i just uploaded the files to my server, how to check if it's stable now?
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 05:21:10 AM
i patched the users.php but when i patched torrents.php i get this error when trying to reinstall gold & silver torrents hack:

D:\xampp\htdocs\terraj3/torrents.php   Sorry search string: "if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";..." (first 20 chars) was not found)   Ask Hack's Developer

please advise..and thanks for the fix...
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: en3r0 on April 09, 2010, 09:24:06 AM
This will break the Sticky torrents mod if you do not do it manually, or reapplying the mod I think is the official way to do things.


Thanks for the fix!
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: yanchev on April 09, 2010, 12:58:34 PM
Thanks for the fix.
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 01:34:36 PM
i patched the users.php but removed hacks that would be effected(only 1) but when i patched torrents.php i get this error when trying to reinstall gold & silver torrents hack:

D:\xampp\htdocs\terraj3/torrents.php   Sorry search string: "if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";..." (first 20 chars) was not found)   Ask Hack's Developer

please advise..and thanks for the fix...
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: friendly on April 09, 2010, 01:55:51 PM
that can be fixed m8 the xml searches for


Code: [Select]
if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";

but now the code is

Code: [Select]
if (isset($_GET["by"]))
      {
        $by_param=(int)$_GET["by"];
        $by=($by_param==1?"ASC":"DESC");
    }
    else
        $by="DESC";

just edit the xml to match the new code  ;)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 02:16:03 PM
phone rang here, just got off of it. that worked, thanks m8 :) much obliged...
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: friendly on April 09, 2010, 02:24:07 PM
no probs m8 happy to help  :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 03:10:46 PM
this has been bugging me friendly. my site still isnt up to par without the thanks hack, this error:

D:\xampp\htdocs\terraj3/style/xbtit_default/torrent.details.tpl   Sorry search string: "<tr>
<td align="right" class="header"><tag:language.INFO_HASH /></td>
<td class="lista" align="center"..." (first 20 chars) was not found)

the thanks.php is in root and i commented out the path from the xml, manually installed it, also uninstalled 'fore the sec patch.

please advise and thanks very much for your assistance.. :)

Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 10, 2010, 12:00:59 AM
the best way is to apply the patch manually to your already modified torrents.php (with hacks installed)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: pedro444 on April 12, 2010, 12:23:31 AM
tremoço. CORREÇÃO DE SEGURANÇA dá o tracker CyBerFuN xBTiT totalmente MODDED
é porque eu enfectado..thanks   :-[
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: robbee on April 13, 2010, 01:07:16 PM
how do i combine the torrents.php fix with the gold torrents mod? the part i have to replace looks like this:

Code: [Select]
    // getting order
    if (isset($_GET["order"]))
         $order=htmlspecialchars(mysql_escape_string($_GET["order"]));
    else
        $order="data";

    $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);


/*Mod by losmi - gold mod*/
/*Mod by losmi - sticky mod
Operation #4*/
if (isset($_GET["by"]))
        $by=htmlspecialchars(mysql_escape_string($_GET["by"]));
    else
        $by="DESC";


    list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count,  $scriptname."&amp;" . $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;");
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 13, 2010, 10:34:04 PM
you can do it like explained on 1st post, just ignore
Code: [Select]
/*Mod by losmi - gold mod*/
/*Mod by losmi - sticky mod
Operation #4*/

from your code
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: alein on April 14, 2010, 07:51:20 AM
I use btit 1.4.8 any security problem on this version?
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 14, 2010, 11:57:45 PM
yes, I guess btit versions are affected by same vulnerabilities
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Delius on April 20, 2010, 03:08:15 AM
I made the changes but pager in users.php didn't work properly (because $by_param isn't available in all cases). Then I made this change, from:


Code: [Select]
         if (isset($_GET["by"]))
           {
              $by_param=(int)$_GET["by"];
              $by=($by_param==1?"ASC":"DESC");
          }
          else
              $by="ASC";

to:

Code: [Select]
         // Direction code from the request: 1 selects ASC, any other value
         // (including input that casts to 0) selects DESC.
         if (isset($_GET["by"]))
          {
              $by_param=(int)$_GET["by"];
              $by=($by_param==1?"ASC":"DESC");
          }
          else
          {
              // Default the numeric code together with the keyword so the pager
              // link, which embeds $by_param, never goes out with an empty by=.
              $by_param=1;
              $by="ASC";
          }

Is this ok?

Sorry my english and thanks a lot for your work :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 20, 2010, 04:27:17 AM
yes, sorry I forgot this :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: punsikorn on February 18, 2019, 11:38:13 PM
Thanks for the fix!